[nycbug-talk] freebsd jails: running nfs client?
Isaac Levy
ike at lesmuug.org
Fri Mar 17 17:09:54 EST 2006
Hi N.J.,
On Mar 17, 2006, at 4:42 PM, N.J. Thomas wrote:
> I know there are some people on the list whose jail-fu is quite
> strong.
> I have a question for you guys: Is it possible to mount an NFS
> filesystem from inside a jail?
There are 2 ways to approach this:
1) Outside the jail (host system)
+ you are able to mount the nfs volume from the host, at a mount
point within the jail instance userland.
It should be noted, however, that there are security implications to
doing anything from the host system that is visible to the jailed
systems, and this strategy throws in a lot of complexity and variables.
2) Inside the jail
- if you are using FreeBSD 4.x, no way jose (at least not in any
supported fashion).
- if you are using FreeBSD 5.x, you should be able to, but I'll not
comment on FreeBSD 5.x
+ if you are using FreeBSD 6.x, you should be able to. It is
noteworthy that you may want to adjust 'security.jail.enforce_statfs'
with sysctl, to make certain applications within the jail can
actually see the mount point! (like mount itself, or umount)
>
> jail(1) seems to imply that it is, but Googling gives me mixed results
> (some people say yes, other people say no).
I'd think some people would have troubles if the jail can't 'see' the
mount point, with the statfs(2) syscall.
The jail(8) man page says it better than I can:
security.jail.enforce_statfs
    This MIB entry determines which information processes in a jail are
    able to get about mount-points. It affects the behaviour of the
    following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
    fhstatfs(2) (as well as similar compatibility syscalls). When set
    to 0, all mount-points are available without any restrictions. When
    set to 1, only mount-points below the jail's chroot directory are
    visible. In addition to that, the path to the jail's chroot
    directory is removed from the front of their pathnames. When set to 2
    (default), above syscalls can operate only on a mount-point where
    the jail's chroot directory is located.
>
> I tried it and
> I can run "mount_nfs machine:/dir /foo" from a normal host just fine,
> but inside a jail it doesn't seem to work, I get:
>
> mount_nfs: /foo: Operation not permitted
From your host machine, try:
# sysctl security.jail.enforce_statfs=1
And then try the mount again inside the jail?
Also, I'm not sure, but NFS may require raw sockets? The jail
manpage explains this command:
# sysctl security.jail.allow_raw_sockets=1
>
> On a similar note, if NFS inside a jail is doable, I would presume
> that running amd would work as well?
I would think so, but I've not done or seen it. Give it a shot?
Good luck, report back!
Best,
.ike
>
> thanks,
> Thomas
>
> --
> N.J. Thomas
> njt at ayvali.org
> Etiamsi occiderit me, in ipso sperabo
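To make the three enforce_statfs values above concrete, here is an added model (not FreeBSD code, and not from either poster) that applies the quoted jail(8) rules to a constructed host mount table and returns what a process inside the jail would see through statfs(2)/getfsstat(2). Names such as HOST_MOUNTS and jail_view are assumptions for the example; the model also assumes, beyond the quoted text, that the filesystem holding the jail's chroot is always visible and is reported as "/".

```python
"""Model of security.jail.enforce_statfs visibility rules (per jail(8))."""
import posixpath

# Constructed sample mount table, host view: mount point -> fs type.
# The jail root /usr/jails/web lives on the /usr filesystem here, and the
# host has mounted an NFS volume at a mount point inside the jail tree.
HOST_MOUNTS = {
    "/": "ufs",
    "/usr": "ufs",
    "/usr/jails/web/mnt/nfs": "nfs",   # NFS volume mounted from the host
    "/usr/jails/db": "ufs",            # a neighbouring jail on its own fs
    "/dev": "devfs",
}

def _under(path, root):
    """True when path is root itself or a descendant of it (component-wise)."""
    root, path = posixpath.normpath(root), posixpath.normpath(path)
    return root == "/" or path == root or path.startswith(root + "/")

def _root_mount(mounts, root):
    """Deepest mount-point that is a prefix of the jail root: the filesystem
    the chroot directory is located on.  Requires "/" to be in the table."""
    return max((mp for mp in mounts if _under(root, mp)), key=len)

def jail_view(mounts, jail_root, enforce_statfs):
    """Return {mount point as seen in the jail: fs type} for the given
    security.jail.enforce_statfs value (0, 1 or 2)."""
    root = posixpath.normpath(jail_root)
    if enforce_statfs == 0:
        # 0: every mount-point visible, pathnames untouched.
        return dict(mounts)
    if enforce_statfs not in (1, 2):
        raise ValueError("security.jail.enforce_statfs must be 0, 1 or 2")
    # 1 and 2: the filesystem holding the chroot is visible, shown as "/"
    # (assumption: the jail's own root is always visible to it).
    view = {"/": mounts[_root_mount(mounts, root)]}
    if enforce_statfs == 1:
        # 1: mount-points below the chroot are also visible, with the
        # chroot path stripped from the front of their names.
        for mp, fs in mounts.items():
            if _under(mp, root):
                inside = mp if root == "/" else mp[len(root):]
                view[inside or "/"] = fs
    # 2 (default): only the mount-point the chroot sits on, nothing below it.
    return view

if __name__ == "__main__":
    for value in (0, 1, 2):
        print(value, jail_view(HOST_MOUNTS, "/usr/jails/web", value))
```

With the default value of 2 the host-mounted NFS volume does not appear in the jail's statfs view at all, which is the situation the enforce_statfs=1 suggestion above addresses.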